Mirrors/linux-baseline
2
0
Fork 0
mirror of https://github.com/dev-sec/linux-baseline synced 2024-11-26 04:50:21 +00:00
Code Issues Projects Releases Packages Wiki Activity

added sysctl-34 for checking link protection settings (#160)

Browse source 
Common and long-standing exploits regard unprotected links, fifos and
regular files, which are created or controlled by an attacker to gain
access to other files or control over other programs.

Signed-off-by: Claudius Heine <ch@denx.de>
This commit is contained in:
Claudius Heine 2021-10-19 15:11:46 +02:00 committed by GitHub
parent 2735730e7f
commit 00d24baa66
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1 changed files with 19 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

19
controls/sysctl_spec.rb
View file

@ -407,3 +407,22 @@ control 'sysctl-33' do
end end
end end
end end
control 'sysctl-34' do
impact 1.0
title 'Ensure links are protected'
desc 'Protects against common exploits in regards to links, fifos and regular files created or controlled by attackers'
only_if { !container_execution }
describe kernel_parameter('fs.protected_fifos') do
its(:value) { should match cmp(/(1|2)/) }
end
describe kernel_parameter('fs.protected_hardlinks') do
its(:value) { should eq 1 }
end
describe kernel_parameter('fs.protected_regular') do
its(:value) { should eq 2 }
end
describe kernel_parameter('fs.protected_symlinks') do
its(:value) { should eq 1 }
end
end